<html>
<head><meta charset="utf-8"><title>crates.io security · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html">crates.io security</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="136146133"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/136146133" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#136146133">(Oct 19 2018 at 23:53)</a>:</h4>
<p>This is an interesting idea: <a href="https://internals.rust-lang.org/t/pre-rfc-packages-as-namespaces/8628" target="_blank" title="https://internals.rust-lang.org/t/pre-rfc-packages-as-namespaces/8628">https://internals.rust-lang.org/t/pre-rfc-packages-as-namespaces/8628</a></p>



<a name="136164756"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/136164756" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#136164756">(Oct 20 2018 at 11:13)</a>:</h4>
<p>On one hand this is not invasive, on the other I have no idea what problem this proposal is trying to solve.</p>



<a name="136164759"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/136164759" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#136164759">(Oct 20 2018 at 11:13)</a>:</h4>
<p>Also, if you think that the current situation is a lot of drama, just wait till somebody starts typosquatting.</p>



<a name="136187080"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/136187080" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#136187080">(Oct 20 2018 at 22:22)</a>:</h4>
<p>haha</p>



<a name="136187096"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/136187096" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#136187096">(Oct 20 2018 at 22:23)</a>:</h4>
<p>IMO the best solutions to this particular incident are IP address and/or account-based rate limiting with exponential backoff</p>



<a name="136187100"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/136187100" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#136187100">(Oct 20 2018 at 22:23)</a>:</h4>
<p>somehow those sorts of mitigations aren't really being discussed in those threads. alas</p>



<a name="136187102"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/136187102" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#136187102">(Oct 20 2018 at 22:23)</a>:</h4>
<p>they are a little bit</p>



<a name="136198450"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/136198450" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#136198450">(Oct 21 2018 at 04:26)</a>:</h4>
<p>Good opportunity for a little proof-of-work based spam-protection crate. It's a fun idea that nobody, to my knowledge, actually does. TLDR: You must have a valid token to make a request. In order to get a token, you must solve a proof-of-work problem. Each token is rate limited, so the maximum speed allowed is whichever of (per-token rate limit) and (rate of solving proof-of-work problems) is faster. Easily tunable so that you achieve numbers that you like, and minimally invasive to users who are behaving nicely.</p>



<a name="136227918"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/136227918" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#136227918">(Oct 21 2018 at 20:17)</a>:</h4>
<p><span class="user-mention" data-user-id="132362">@Joshua Liebow-Feeser</span> there was this thing, heh... didn't go anywhere <a href="https://www.ietf.org/archive/id/draft-nygren-tls-client-puzzles-02.txt" target="_blank" title="https://www.ietf.org/archive/id/draft-nygren-tls-client-puzzles-02.txt">https://www.ietf.org/archive/id/draft-nygren-tls-client-puzzles-02.txt</a></p>



<a name="136230532"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/136230532" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#136230532">(Oct 21 2018 at 21:32)</a>:</h4>
<p>Having worked at Cloudflare, my guess is that the reason it didn't go anywhere is that you don't need to be that fancy. Spammers/crawlers/etc are surprisingly unsophisticated. No reason we couldn't do it, though; it's laughably easy to build.</p>



<a name="177068764"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/177068764" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#177068764">(Oct 01 2019 at 15:52)</a>:</h4>
<p>interesting paper on npm ecosystem security, relevant to <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> <a href="https://www.usenix.org/system/files/sec19-zimmermann.pdf" target="_blank" title="https://www.usenix.org/system/files/sec19-zimmermann.pdf">https://www.usenix.org/system/files/sec19-zimmermann.pdf</a></p>



<a name="177578941"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/177578941" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#177578941">(Oct 08 2019 at 02:25)</a>:</h4>
<p>good idea <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span> <a href="https://twitter.com/pcwalton/status/1181394377081442304" target="_blank" title="https://twitter.com/pcwalton/status/1181394377081442304">https://twitter.com/pcwalton/status/1181394377081442304</a></p>
<div class="inline-preview-twitter"><div class="twitter-tweet"><a href="https://twitter.com/pcwalton/status/1181394377081442304" target="_blank"><img class="twitter-avatar" src="https://pbs.twimg.com/profile_images/619088718/twitter-icon_normal.jpeg"></a><p>Idea: The “left-pad index”, a score for Rust crates that combines small size with popularity.

The goal would be to find potential candidates for additions to the standard library, or at least merging into larger crates.</p><span>- Patrick Walton (@pcwalton)</span></div></div>



<a name="177631613"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/177631613" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#177631613">(Oct 08 2019 at 16:11)</a>:</h4>
<p><span class="user-mention" data-user-id="132723">@Zach Reizner</span> seems like the sort of thing <code>crates-audit</code> could potentially do?</p>



<a name="177632327"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/177632327" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#177632327">(Oct 08 2019 at 16:18)</a>:</h4>
<p>Interesting. Is that a metric that already exists?</p>



<a name="177632387"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/177632387" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#177632387">(Oct 08 2019 at 16:19)</a>:</h4>
<p>don't think so...</p>



<a name="177632395"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/177632395" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#177632395">(Oct 08 2019 at 16:19)</a>:</h4>
<p>I mean, the numbers are there</p>



<a name="177632514"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/177632514" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#177632514">(Oct 08 2019 at 16:20)</a>:</h4>
<p>Funny you bring this up today because crates-audit has finally choked on some input and fails even after retry.</p>



<a name="177632534"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/177632534" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#177632534">(Oct 08 2019 at 16:20)</a>:</h4>
<p>So I will need to roll up my sleeves and do some upgrades.</p>



<a name="177633090"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/177633090" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#177633090">(Oct 08 2019 at 16:27)</a>:</h4>
<p>aah</p>



<a name="177633129"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/177633129" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#177633129">(Oct 08 2019 at 16:27)</a>:</h4>
<p>still interested in moving it to <a href="https://github.com/rustsec" target="_blank" title="https://github.com/rustsec">https://github.com/rustsec</a> ?</p>



<a name="178808728"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates.io%20security/near/178808728" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates.2Eio.20security.html#178808728">(Oct 22 2019 at 23:29)</a>:</h4>
<p>I love these emails RubyGems sends whenever a gem is released:<br>
<a href="/user_uploads/4715/IGUaymwv8MlVI4A4wIVoIIJx/Screen-Shot-2019-10-22-at-4.28.31-PM.png" target="_blank" title="Screen-Shot-2019-10-22-at-4.28.31-PM.png">Screen-Shot-2019-10-22-at-4.28.31-PM.png</a></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>